HP StorageWorks 9100 Extreme Data Storage System administration guide V1.0.2 (AN540-96018, February 2010)
Unless needed for a specific purpose, the general policy is to disallow traffic on all ports. The HP
ExDS9100 firewall prevents unnecessary network traffic on the HP ExDS network infrastructure.
However, it is not intended as a replacement for normal security procedures.
Use the following command to view the current set of rules used by iptables:
# iptables --list
The firewall filters are constructed in four chains:
• MXSO-Core-Filter — Permits all traffic over local and management LAN interfaces
• MXSO-Internal-Filter — Permits ExDS cluster communications between server blades over external interfaces
• MXSO-External-Filter — Permits external NAS communications over well known ports
• MXSO-User-Filter — Permits miscellaneous and user-defined traffic over the firewall
IMPORTANT:
Only modify the MXSO-External-Filter and MXSO-User-Filter chains. Do not modify the other chains;
they are critical to the correct operation of the system.
The original/factory firewall configuration is stored in /etc/sysconfig/iptables.mxso. Do not
modify this file.
Opening a port through the firewall
To open a port, modify the MXSO-User-Filter chain. For example, to allow port 555 use the following
commands:
# pdsh -a iptables -I MXSO-User-Filter -p tcp -m tcp --dport 555 -j ACCEPT
# pdsh -a service iptables save
If a server blade is down at this time, remember to apply the same firewall rule to that blade when it is next rebooted.
NOTE:
Do not stop and restart iptables while the system is in operation. This is known to cause interruptions
in existing connections. Use the modify/save cycle as described in this section.
Closing a port through the MXSO-External-Filter chain
To close a file service protocol port, modify the MXSO-External-Filter chain. For example, to make
CIFS port 445 unavailable, disable it as follows:
# pdsh -a iptables -D MXSO-External-Filter -p tcp -m tcp --dport 445 -j ACCEPT
# pdsh -a service iptables save
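The two procedures above (opening a port through MXSO-User-Filter and closing one through MXSO-External-Filter) share the same modify-then-save cycle, and the IMPORTANT note restricts changes to those two chains. The following added example, which is not part of the HP guide, wraps that cycle in a small POSIX shell script that refuses any other chain, rejects malformed port numbers, and builds the same pdsh/iptables command lines shown in this section. The function names (fw_rule, open_port, close_port) and the DRY_RUN variable are assumptions of this example; pdsh and iptables are the tools the guide itself uses. With DRY_RUN=1 (the default here) the commands are printed rather than executed, so the script can be reviewed before being run on the cluster.

```shell
#!/bin/sh
# Added example, not from the HP ExDS9100 guide: guarded wrapper for the
# modify/save firewall cycle described in this section.
# DRY_RUN=1 prints the command lines; DRY_RUN=0 executes them via pdsh.

DRY_RUN=${DRY_RUN:-1}

# run_cmd: print the command in dry-run mode, otherwise execute it.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# check_chain: the guide allows changes only to these two chains; the
# Core and Internal chains are critical to system operation.
check_chain() {
    case "$1" in
        MXSO-User-Filter|MXSO-External-Filter) return 0 ;;
        *) printf 'refusing to modify chain %s\n' "$1" >&2; return 1 ;;
    esac
}

# check_port: a TCP/UDP port is an integer in 1..65535.
check_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# fw_rule ACTION CHAIN PROTO PORT
#   ACTION is -I (insert an ACCEPT rule, i.e. open) or -D (delete it, i.e. close).
# Runs the iptables change on every blade with pdsh -a, then saves the rules,
# exactly the modify/save cycle the guide prescribes (no iptables restart).
fw_rule() {
    action=$1 chain=$2 proto=$3 port=$4
    case "$action" in -I|-D) ;; *) printf 'bad action: %s\n' "$action" >&2; return 1 ;; esac
    check_chain "$chain" || return 1
    check_port "$port" || { printf 'bad port: %s\n' "$port" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) printf 'bad proto: %s\n' "$proto" >&2; return 1 ;; esac
    run_cmd pdsh -a iptables "$action" "$chain" -p "$proto" -m "$proto" --dport "$port" -j ACCEPT &&
    run_cmd pdsh -a service iptables save
}

# open_port PROTO PORT   -> adds an ACCEPT rule to MXSO-User-Filter
# close_port PROTO PORT  -> removes the ACCEPT rule from MXSO-External-Filter
open_port()  { fw_rule -I MXSO-User-Filter "$1" "$2"; }
close_port() { fw_rule -D MXSO-External-Filter "$1" "$2"; }

# Usage (dry run): reproduces the two command pairs shown in this section.
# open_port tcp 555
# close_port tcp 445
```

Because the chain check runs before anything is sent to pdsh, a typo such as MXSO-Core-Filter is rejected locally instead of being applied to every blade; the dry-run output is what to review before setting DRY_RUN=0.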
Restricting a port to an IP
To restrict a file service protocol port to a particular IP subnet, modify the MXSO-External-Filter chain.
For example, to restrict http port 80, use the following process: